
Protection of Health Information

Health and social services information, or Patient Information, is any information that allows a person to be identified, directly or indirectly, and that concerns the person’s physical or mental health, or health or social services provided to the person. 

Health and Social Services at Concordia

At Concordia, a medical clinic is available to students and employees, and students may also access counselling and psychological services with Health and Mental Health Services. Counselling is also available through the Sexual Assault Resource Centre (SARC). Both of these units carefully protect the health and social services information that comes into their possession via these services.

Information governance guidelines

Concordia has Guidelines regarding the protection of personal information applicable to Concordia’s Health and Mental Health Services and SARC that set out details like the roles and responsibilities of personnel and professionals with regard to Patient Information, the security measures put in place to protect it, and procedures for processing privacy incidents and complaints.

Patient Information Officers

The people in charge of the protection of Patient Information at Concordia University:

Dr. Jeffrey Levitt
Manager, Mental Health Services
Health Services
1455 De Maisonneuve Blvd. W., GM 200-21
Montreal, QC H3G 1M8

Tel.: 514-848-2424 ext 3576
jeffrey.levitt@concordia.ca

 

Lauren Stoddard
Manager, Case Management Services
Campus Wellness and Support Services
1455 De Maisonneuve Blvd. W., GM 300-26
Montreal, QC H3G 1M8

Tel.: 514-848-2424 ext 4386
lauren.stoddard@concordia.ca

 

Jennifer (JD) Drummond
Manager, Sexual Assault Resource Centre
1400 De Maisonneuve Blvd. W., LB-720
Montreal, QC H3G 1M8

Tel.: 514-848-2424 ext 3353
jennifer.drummond@concordia.ca
 

Register of technological products and services employed

Quebec law seeks to ensure that health and social services information is managed in a secure and transparent way. Organizations dealing with such information are required to keep a register of technological products and services they use along with an indication of whether the product or service is certified by the Minister and whether it uses information to render a decision based exclusively on automated processing. Any product or service listed that has not been certified is subject to a privacy impact assessment.

Concordia’s Health and Mental Health Services and SARC use the following technological products and services:

Description and purpose(s): Electronic Medical Records (EMR) system that allows healthcare providers to store, track and manage patient information

Supplier: Omnimed.com Inc

Used to render a decision based exclusively on automated processing: No

Certified by the ministre de la Santé et des Services sociaux. 

Description and purpose(s): System that allows healthcare providers to store, track and manage patient information

Supplier: TechnoPro Computer Solutions Inc

Used to render a decision based exclusively on automated processing: No

Description and purpose(s): Portal facilitating virtual appointments and secure messaging; stores forms and surveys

Supplier: Qualifacts Systems, LLC

Used to render a decision based exclusively on automated processing: No

Description and purpose(s): Measurement Based Care platform that captures data including clinical assessments and progress over time

Supplier: Greenspace Mental Health Ltd.

Used to render a decision based exclusively on automated processing: No

Description and purpose(s): Queuing management system that notifies patients

Supplier: Electronique Microtech Canada Inc.

Used to render a decision based exclusively on automated processing: No

Description and purpose(s): An electronic signature solution for consent and referral forms

Supplier: Docusign, Inc.

Used to render a decision based exclusively on automated processing: No

Description and purpose(s): System that allows healthcare providers to store, track and manage patient information

Supplier: Microsoft

Used to render a decision based exclusively on automated processing: No

Description and purpose(s): SARC patient files are maintained in password-protected Excel and Word files

Supplier: Microsoft

Used to render a decision based exclusively on automated processing: No

Description and purpose(s): Platform to schedule and manage bookings for SARC

Supplier: Microsoft

Used to render a decision based exclusively on automated processing: No

Guidelines regarding the protection of Patient information

The Guidelines set out the obligations of Concordia’s Health Services, Counselling and Psychological Services and certain other professionals working at Concordia’s Sexual Assault Resource Centre (“SARC”) (collectively referred to in these Guidelines as the “Health and Mental Health Services”) regarding the protection of personal information collected and held by those units. The present Guidelines may be updated from time to time.

Applicable legislation includes: 

Concordia University (the “University”) is subject to the privacy regime set out in the Act respecting Access to documents held by public bodies and the Protection of personal information, chapter A-2.1, which is reflected in the Policy Regarding the Protection of Personal Information and Access to Information (SG-9) (the “Policy”). However, with respect to certain personal information and sensitive personal information held by Health and Mental Health Services, these Guidelines supersede the Policy.

Definitions

  • “Health Professional” means any person practicing their profession within Health and Mental Health Services, including but not limited to nurses, medical doctors, mental health professionals, social workers, students and/or trainees.
  • “Patient Information” means any Personal Information, including Sensitive Personal Information, that concerns the individual’s physical or mental health.
  • “Patient Information Officer” means the person in charge of the protection of Patient Information.
  • “Personal Information” means any information (whether it is held in paper, electronic or any other medium) about an individual, which allows an individual to be directly or indirectly identified.
  • “Privacy Incident” means any unauthorized access to, use of, or disclosure of Personal Information, or any loss or breach of the security of such information.
  • “Privacy Officer” means the person responsible for the application of the Policy and the protection of Personal Information at the University.
  • “Sensitive Personal Information” means any Personal Information which, due to its highly personal nature, and/or the context of its use or communication, requires a higher level of confidentiality, such as medical and/or biometric information.

Roles & responsibilities

1. The person with the highest authority within Health Services, Counselling and Psychological Services (the “Director”) and SARC (the “Manager”), or their delegate, exercises the function of Patient Information Officer.

2. The Patient Information Officer is responsible for:

  1. the protection of Patient Information;
  2. the application of these guidelines;
  3. verifying that the technological products or services used by Health and Mental Health Services provide the necessary protection of the Patient Information they contain;
  4. monitoring compliance with applicable privacy laws; and
  5. responding to requests for access to or rectification of Patient Information. 

3. The following categories of persons may use Patient Information in the exercise of their functions:

  1. administrative personnel and managers;
  2. Health Professionals.

Training

4. Health Professionals, volunteers, and any employees working with Health and Mental Health Services shall receive regular training regarding the protection of Patient Information.

Handling of Patient Information

5. Health and Mental Health Services collect Personal Information that is necessary for the fulfillment of their services.

6. Personal Information is collected from an individual based on clear, free and informed consent given for specific purposes. Such consent is valid for the time necessary to fulfill the purposes for which it was requested.

7. Health and Mental Health Services must manage the access of their personnel to Personal Information so that only those who require access to Personal Information in the course of their duties have such access.

8. Subject to the exceptions permitted in the law, Health and Mental Health Services will not disclose Personal Information without the consent of the Individual. Consent must be expressly given when Sensitive Personal Information is involved.

9. Health and Mental Health Services may communicate Personal Information without consent where it is necessary for public safety or in certain situations including the following:

  1. to protect a person or an identifiable group of people when there is reasonable cause to believe that a serious risk of death or of serious bodily injury, related in particular to a disappearance or to an act of violence, threatens the person or group and where the nature of the threat generates a sense of urgency;
  2. for the prosecution of an offence against an Act applicable in Quebec;
  3. certain types of police interventions aimed at supporting or assisting a person requiring such intervention.

10. The retention of Patient Information is governed in accordance with the University’s Records Classification and Retention Rules.

Individual Rights

11. Any Individual whose Patient Information is held by Health and Mental Health Services has the right to access their Patient Information and to obtain a copy of it, subject to certain exceptions identified in applicable laws.

12. Any Individual whose Patient Information is held by Health and Mental Health Services may:

  1. seek the rectification of any incomplete or inaccurate Patient Information;
  2. restrict access to their Patient Information from a particular service provider or category of service providers;
  3. refuse access to their Patient Information in circumstances provided for in the Act; and
  4. be informed, upon request, of consultations of their Patient Information.

Complaints

13. Complaints regarding the protection of Patient Information may be directed to the Patient Information Officer.

Security Measures

14. Health and Mental Health Services implement reasonable security measures aimed at protecting the confidentiality, integrity and accessibility of Patient Information. Security measures include managing access to Patient Information and tracking the consultation of Patient Information.

Privacy Incidents

15. Privacy Incidents or suspected Privacy Incidents must be reported to the Privacy Officer and recorded in the Privacy Incident Register: an Incident Register form is available for this purpose. 

Technological Products and Services

16. The University will publish on its website a register of the technological products or services used by Health and Mental Health Services. 

17. Health and Mental Health Services will maintain a calendar of known or expected termination dates for the technological products and services it uses for the purpose of analyzing in advance whether to maintain or replace them.

Report a Privacy Incident

Privacy Incidents and suspected Privacy Incidents must be reported to the Privacy Officer and recorded in the Privacy Incident Register: an Incident Register form is available for this purpose.

Questions and comments

For questions or for more information on accessing documents held by Concordia, please contact:

Gabriel Desjardins
Officer, Access and Privacy
Office of the Secretary-General
gabriel.desjardins@concordia.ca 
514-848-2424, ext. 4804


© Concordia University